Verification Tool Skill

Shell command execution function detected

child_process

The skill directly executes commands from the `manifest.json` using `child_process.execSync` in the `run-verify.js` script. The `command` field in the manifest is populated from 'IA item in the current session' or 'user input' in update mode, allowing for arbitrary command injection.

const output = execSync(entry.command, { ... }); (run-verify.js, line 100); 'command': '{executable command}' (manifest.json structure, line 70); 'Create entry with user input (IA, type, command, expected)' (Update Mode, line 160)

In conjunction with arbitrary command execution, the `run-verify.js` script checks if `output.includes(entry.expected)`. An attacker could craft a command to read sensitive files and set `entry.expected` to a pattern found in the sensitive data, effectively exfiltrating information by observing the verification result.

const pass = output.includes(entry.expected) || entry.expected === 'exit-0'; (run-verify.js, line 105); 'expected': '{expected output or behavior}' (manifest.json structure, line 70)

The skill explicitly launches 'Work Agent (Task tool)' and 'Review Agent (Task tool)' to analyze the project's runtime environment, gathering detailed information about the system, entry points, and commands. This capability can be abused for extensive reconnaissance or to orchestrate further attacks via sub-agents.

Launch a Work Agent (Task tool) to determine: (line 35); Launch a Review Agent (Task tool, SEPARATE from Work Agent) (line 50)

The run-verify.js runner script executes arbitrary shell commands sourced directly from manifest.json entries via `execSync` with no sanitization, validation, or allowlisting. Any entity that can write to or influence manifest.json can achieve arbitrary command execution on the host system.

const output = execSync(entry.command, { timeout: entry.timeout || 30000, encoding: 'utf8', cwd: process.env.PROJECT_ROOT || process.cwd() });

The working directory for executed commands is taken from the unvalidated `process.env.PROJECT_ROOT` environment variable. An attacker who can set this variable could redirect command execution to an arbitrary directory, potentially enabling path traversal or execution of attacker-controlled scripts.

cwd: process.env.PROJECT_ROOT || process.cwd()

The skill creates a persistent executable script (.crabshell/verification/run-verify.js) on disk with no checksum, signature, or integrity verification. This file persists across sessions and can be modified by other processes or attackers to establish persistent malicious execution.

Create `.crabshell/verification/run-verify.js`: ... // Auto-generated verification runner

The skill creates and modifies `.crabshell/verification/manifest.json` and `run-verify.js`. If an attacker can influence the 'IA item in the current session' or 'user input' used to populate these files, they can inject malicious commands or logic that the agent will later execute, effectively poisoning the agent's operational knowledge base.

Create `.crabshell/verification/manifest.json` (line 60); For each IA item in the current session, create a verification entry: (line 65); Create entry with user input (IA, type, command, expected) (line 160)

The skill spawns multiple sub-agents (Work Agent and Review Agent via Task tool) whose prompts incorporate project-derived data (directory paths, runtime analysis results). If the project contains adversarial content (e.g., in filenames, README, or code comments), it could inject instructions into sub-agent prompts, constituting indirect prompt injection.

Launch a Work Agent (Task tool) to determine: ... Launch a Review Agent (Task tool, SEPARATE from Work Agent) to verify the analysis independently.